The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Tumblr posted a blog post Tuesday night warning users to change their passwords and released a very important security update for iOS users after identifying a breach that compromised their passwords. It seems that, under certain circumstances, the prior versions of the iPhone and iPad apps would allow an individual with malicious intent to sniff or intercept passwords as they are in transit across a local network. The problem arose because the iPad and iPhone apps fail to log users in through a secure server.  The vulnerability does not seem to have affected Tumblr's Android app. The company urged users to download the latest version of the Tumblr app, which is available in the Apple iTunes Store. The company did not provide further details on the breach. It's also good practice to use different passwords across different services by using an app like 1Password or LastPass. It doesn't appear that any passwords got in the hands of malicious individuals, t...

Recent disclosures by whistleblower Edward Snowden claiming that internet traffic is being intercepted and used by the Americans in their war on terror, force to re-think about the user's privacy and online anonymity. It has been relatively common knowledge for years that wherever we go on the web, we leave clear tracks, so it shouldn't really have come as much of a surprise to discover this has been going on. The best thing you can do to stay anonymous online is to hide your IP address . If someone knows your IP address, it is the easiest way to trace your online activity back to you and they can easily determine the geographic location of the server that hosts that address and get a rough idea of where you're located. TOR is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. Browsing with TOR is a lot like simultaneously using hundreds of different proxies that are randomized periodically. ...

TrueCaller, a popular app built by a Swedish company and world's largest collaborative phone directory compromised by Syrian Electronic Army hackers. Truecaller was running an outdated version (3.5.1) of blogging software WordPress for its web interface and there are millions of Phonebook records available in their database that were reportedly stolen by hackers, as claimed on their twitter account. Syrian Electronic Army also claimed that the database contains million of access codes of Facebook, Twitter, Linkedin, Gmail Accounts of different users, that can be used to post update from compromised Accounts. In total, the hackers claimed to downloaded more than 7 databases fro Truecaller server of 450GB in size. At the time of reporting this news, Truecaller website is still under maintenance and index page saying, " We are doing some upgrades. Thank you for your patience ." SEA also posted a database screenshot on twitter, showing the phonebook l...

Researchers at mobile security firm Lookout discovered a security flaw in Google Glass which allowed them to capture data without the user's knowledge, when the user merely took a photo that captured a malicious QR code. Lookout was able to force Google Glass to silently connect to a Wi-Fi access point, which let the researchers view all of the data flowing to and from the device. When combined with an Android 4.0.4 web vulnerability , the hack apparently gave researchers full control of the Glass headset. The problem was that Google Glass could be told to execute a QR code without the user having to give permission. Because of Glass's limited user interface, Google set up the device's camera to automatically process any QR code in a photograph. In a video posted on YouTube, Lookout Security described the vulnerability: " That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud ." said Mar...

Android Security Squad, the China-based group that  uncovered a second Android master key vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.  The whole point of digitally signing a document or file is to prove the file hasn't been modified. The process uses a form of public-key cryptography . In Chinese version of hacking attack, malicious code can be added into the file headers, but the method is limited because targeted files need to be smaller than 64K in size. APK files are packed using a version of the widespread ZIP archiving algorithm. Most ZIP implementations won't permit two same-named files in one archive, but the algorithm itself doesn't forbid that possibility. So basically, two versions of the classes.dex file are placed inside of the package, the original and a hacked alternative. When checking an app's digital signature, the Android OS looks at the first matching file, but when act...